Apple macOS so secure some apps can't be easily deleted

Welcome to the Hotel California security model

An Apple macOS security process called System Integrity Protection can prevent certain apps from being easily uninstalled, which isn't ideal when the code may be vulnerable or malware.

System Integrity Protection, or SIP, has clear benefits for macOS security. Introduced in OS X El Capitan (10.11) in 2015, it applied a new security policy to every process running on the system.

SIP attempts to ensure that system binaries can only be modified by Apple's Software Update mechanism or by the app installer if the code is an Apple signed package. It also attempts to prevent runtime attachments and code injection.

Apart from past bugs, SIP – also referred to as "rootless" because of the attribute text used to designate SIP protection – has generally improved macOS security.

Because Apple's app sandboxing and app guidelines already prevent such behavior for apps distributed through the macOS App Store, SIP's primary impact has been on third-party developers distributing their apps outside of Apple's oversight.

Permissionless app distribution isn't possible on iOS without jailbreaking; but on macOS, developers can still distribute code without Apple's blessing, though signing apps with a valid developer identity helps.

The macOS app BlueStacks, which allows Android apps to run on Apple systems, is an example of an app that needs to operate outside of Apple's control because it installs a kernel extension (KEXT) to augment the capabilities of the macOS kernel.

And thanks to SIP, the app's KEXT resists deinstallation.

Howard Oakley, a former MacUser writer, analyzed the problem in a blog post on Tuesday, describing SIP in macOS High Sierra as "broken."

That may be something of an overstatement. In an email to The Register, Patrick Wardle, chief security researcher Synack, a computer security biz, said, "I don’t think it’s a security issue per se; rather just an annoyance."

High Sierra, Oakley explains, provides a new authorization mechanism for third-party kernel extensions, which Apple calls User-Approved Kernel Extension Loading. It blocks third-party kernel extensions from being installed and requires an explicit grant of permission through the Security & Privacy control panel.

Once the user authorizes the KEXT, Oakley says, High Sierra rolls it into a non-executable stub app that gets installed in /Library/StagedExtensions/Applications, where it gains protection from SIP through the addition of an extended attribute (xattr), com.apple.rootless.

Why is this "broken"? Simply put, Apple's security model allows the installation of software but not its removal, at least without jumping through some hoops.

Removal is possible if you restart in Recovery mode, which disables SIP on the volume in question and allows the lingering stub app to be removed. But it's not easy.

Oakley's concern is that users may be duped into authorizing the installation of malicious code, thereby allowing it to hide behind SIP protection, which would make the malware difficult to dislodge.

That's worthy of some concern, though a careless user is arguably more dangerous than an awkward security mechanism.

What may be more troubling is seeing macOS flirt with locked-down security model like iOS where the answer to a user's command is, "I'm sorry, Dave. I'm afraid I can't do that." ®